Cross-site Scripting (XSS) - Stored in tsolucio/corebosValid
Dec 12th 2021
Proof of Concept
<html:html xmlns:html='http://www.w3.org/1999/xhtml'> <html:script> alert(document.domain); </html:script> </html:html>
Steps To Reproduce
1.After login, navigate Inventory -> Product and create/edit any product.
2.While editing a product, upload a malicious XML file in product image.
3.Click Choose file and choose the XSS.xml and then click Save.
4.After uploading successfully, copy the link of the image and open it in a new tab.
The XSS will trigger when the attachment is opened in a new tab.
The link to the image will look like this: https://demo.corebos.com/storage/2021/December/week2/43906_XSS.xml
This vulnerability has the potential to deface websites, result in compromised user accounts, and can run malicious code on web pages, which can lead to a compromise of the user’s device.